Disable Guest Account | Completed | Not implemented | Not applicable
STATUS | | |
Disable the Guest account and remove all rights. (Note: if using with Internet Information Server, ensure that the web user account has permission to access the appropriate directories and the right to “LOG ON LOCALLY”.)
Limited access can be permitted for casual users through the built-in Guest account. If the computer is for public use, the Guest account can be used for public log-ons. Prohibit Guest from writing or deleting any files, directories, or registry keys (with the possible exception of a directory where information can be left).
In a standard security configuration, a computer that allows Guest access can also be used by other users for files that they don’t want accessible to the general public. These users can log on with their own user names and access files in directories on which they have set the appropriate permissions. They will want to be especially careful to log off or lock the workstation before they leave it.
Logging Off or Locking the Workstation | Completed | Not implemented | Not applicable
STATUS | | |
Users should either log off or lock the workstation if they will be away from the computer for any length of time. Logging off allows other users to log on (if they know the password to an account); locking the workstation does not. The workstation can be set to lock automatically if it is not used for a set period of time by using any 32-bit screen saver with the Password Protected option. For information about setting up screen savers, see Help.
Install a password-protected screen saver that starts automatically if the workstation is not used for 5-15 minutes.
Allowing Only Logged‑On Users to Shut Down the Computer | Completed | Not implemented | Not applicable
STATUS | | |
Normally, you can shut down a computer running Windows NT Workstation without logging on by choosing Shutdown in the Logon dialog box. This is appropriate where users can access the computer’s operational switches; otherwise, they might tend to turn off the computer’s power or reset it without properly shutting down Windows NT Workstation. However, you can remove this feature if the CPU is locked away. (This step is not required for Windows NT Server, because it is configured this way by default.)
To require users to log on before shutting down the computer, use the Registry Editor to create or assign the following Registry key value:
Hive: | HKEY_LOCAL_MACHINE\SOFTWARE
Key: | \Microsoft\Windows NT\CurrentVersion\Winlogon
Name: | ShutdownWithoutLogon
Type: | REG_SZ
Value: | 0
The changes will take effect the next time the computer is started. You might want to update the Emergency Repair Disk to reflect these changes.
Hiding the Last User Name | Completed | Not implemented | Not applicable
STATUS | | |
By default, Windows NT places the user name of the last user to log on to the computer in the User name text box of the Logon dialog box. This makes it more convenient for the most frequent user to log on. To help keep user names secret, you can prevent Windows NT from displaying the user name from the last logon. This is especially important if a computer that is generally accessible is being used for the (renamed) built-in Administrator account.
To prevent display of a user name in the Logon dialog box, use the Registry Editor to create or assign the following registry key value:
Hive: | HKEY_LOCAL_MACHINE\SOFTWARE
Key: | \Microsoft\Windows NT\CurrentVersion\Winlogon
Name: | DontDisplayLastUserName
Type: | REG_SZ
Value: | 1
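To verify both Winlogon settings above (ShutdownWithoutLogon and DontDisplayLastUserName) on a collected machine, the following added example, which is not part of the original checklist, audits a Registry Editor export in Python. It assumes the export is REGEDIT4 text; the function names and the sample export are constructed for illustration.

```python
import re
# Hive + key named on this page; registry paths and names are case-insensitive.
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPECTED = {"ShutdownWithoutLogon": "0", "DontDisplayLastUserName": "1"}  # REG_SZ data
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')

def parse_reg(text):
    """Parse REGEDIT4 text into {key_path: {value_name: (type, data)}}, names lowercased."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue
        data = m.group("data")
        entry = ("OTHER", data)  # hex: and other types are not needed for this check
        if len(data) >= 2 and data[0] == data[-1] == '"':
            entry = ("REG_SZ", data[1:-1])  # escape sequences are not decoded here
        elif data.lower().startswith("dword:"):
            entry = ("REG_DWORD", str(int(data[6:], 16)))
        current[m.group("name").lower()] = entry
    return keys

def audit_winlogon(text):
    """Return {value_name: status} for the two checklist values."""
    values = parse_reg(text).get(WINLOGON.lower(), {})
    report = {}
    for name, want in EXPECTED.items():
        found = values.get(name.lower())
        if found is None:
            report[name] = "MISSING"  # value was never created
        elif found[0] != "REG_SZ":
            report[name] = f"WRONG_TYPE ({found[0]})"  # the page specifies REG_SZ
        else:
            report[name] = "OK" if found[1] == want else f"NOT_SET (found {found[1]!r})"
    return report

# Constructed sample export: one value left at 1, one created with the wrong type.
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"ShutdownWithoutLogon"="1"
"DontDisplayLastUserName"=dword:00000001
'''
if __name__ == "__main__":
    print(audit_winlogon(SAMPLE))
```

A MISSING result means the value was never created, so the default behaviour described in the text above still applies on that machine.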